
Re: to reiterate, why are there no security updates on the front page? (Or, 17 security holes the security team hasn't told you about)

Previously Joey Hess wrote:
> Why is the last security update listed on the www.debian.org web page,
> and the last security announcement posted to debian-security-announce,
> from way back in March? 

One reason: we probably need one or two extra people in the security
team. We had someone join the security team last year only to leave
before doing anything, and another this year who is still a member
but doesn't seem to have done anything yet. 

I'm guessing that we'll get a bunch of replies from people stating that
they want to volunteer. We'll probably ignore or reject most of those
since we want people we know we can trust. 

> While a quick grep of debian-changes for this month and April for
> "security" finds:

Let's ignore all the ones from potato and woody; we don't support those.
That leaves:

> xlockmore (4.12-4.1) stable; urgency=high
>    * Non-maintainer upload by security team
>    * Fix buffer overflow in resource handling

I recompiled and uploaded that just before I left for SANE
and didn't get around to sending the advisory. m68k recompiles take
a bit too long unfortunately.

> kon2 (0.3.9b-0slink1) stable; urgency=high
>    * [Security FIX] buffer overrun security problem fixed.

Vague memories, I'm pretty certain the maintainer neglected to contact us
at any rate.

> roxen (1.2beta2-3.1) stable; urgency=high
>    * Security fix - html encoding the output of the tags
>      referer, accept-language, clientname, file
>      Attacker can include code to be parsed by the server

Hmm, a very old one. I remember having serious issues recompiling it for
some architectures; combined with the fact that non-free isn't a part of
Debian and security.d.o isn't split into main/contrib/non-free for slink,
that made me decide to ignore it.

> floppybackup (1.3-2) stable; urgency=high
>    * Security Fix - fixed temporary file use

See kon2, but without the vague memories.

> mtr (0.28-1) stable; urgency=high
>    * Security fix for theoretical stack-smash-and-fork attack -
>      s/seteuid/setuid/ in mtr.c
> nmh (0.27-0.28-pre8-4) stable; urgency=high
>    * Applied patch to fix security hole which allowed untrusted shell
>      code to be executed.

These two were announced, no idea why they show up with a later date.


 / Generally uninteresting signature - ignore at your convenience  \
| wichert@liacs.nl                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
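The mtr entry quoted above turns on the difference between seteuid() and setuid() in a set-uid-root program. As an added example (not code from mtr, and not part of the mail above), the C program below shows both patterns side by side: seteuid() only changes the effective uid and leaves the saved set-user-id as root, so a payload that gains code execution can simply call seteuid(0) and fork a root shell, while setuid() called with effective uid 0 changes real, effective and saved uids and makes the drop permanent. The uid 65534 used as the unprivileged target when run as root is an assumption (the conventional "nobody" uid); the difference between the two patterns is only visible when the program starts with effective uid 0, otherwise both behave the same.

```c
/* Added example: seteuid() vs setuid() for dropping root permanently.
 * Not code from mtr; written to illustrate the changelog entry above. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The pre-fix pattern: only the effective uid changes. The saved
 * set-user-id stays 0, so seteuid(0) later succeeds. */
int drop_privs_temporarily(uid_t target)
{
    return seteuid(target);
}

/* The fixed pattern: with euid 0, setuid() sets real, effective and
 * saved uids, so there is no way back to root. Returns 0 on success,
 * -1 if the drop could not be verified. */
int drop_privs_permanently(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    /* Belt and braces: check every uid we can see actually changed. */
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

/* What a "stack-smash-and-fork" payload would try after taking over the
 * process: returns 1 if root can (still) be obtained, 0 otherwise. */
int can_regain_root(void)
{
    uid_t cur = geteuid();
    if (cur == 0)
        return 1;
    if (seteuid(0) == 0) {
        seteuid(cur);      /* restore what we found, we only probed */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Assumption: 65534 ("nobody") is a safe unprivileged target when
     * started as root; otherwise drop to our own real uid. */
    uid_t target = getuid() == 0 ? (uid_t)65534 : getuid();
    pid_t pid;

    if (geteuid() != 0)
        printf("not running with euid 0: both patterns look the same here\n");

    /* Try the old pattern in a child so it cannot spoil the parent. */
    pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        if (drop_privs_temporarily(target) != 0)
            perror("seteuid");
        printf("after seteuid(): can regain root? %s\n",
               can_regain_root() ? "yes" : "no");
        _exit(0);
    }
    waitpid(pid, NULL, 0);

    /* The fixed pattern in the parent. */
    if (drop_privs_permanently(target) != 0)
        perror("setuid");
    printf("after setuid():  can regain root? %s\n",
           can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run it once as an ordinary user to confirm both calls succeed, then once as root (or set-uid root) to see the child report "yes" after seteuid() and the parent report "no" after setuid(). On Linux the same permanent drop can be made explicit with setresuid(target, target, target), which is the call most modern privilege-dropping code uses.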
